Security / The Internet

Internet Security: Where Do We Stand (219 comments)

buxton writes "The Economist is running an interesting story which overviews the current global situation on internet security in hackers, terrorism, worms & virii, Microsoft's 'monoculture', and a bunch of other interesting points. Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonymity) as a method of preventing hackers. One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."

  • by ahfoo ( 223186 ) on Monday December 01, 2003 @07:31AM (#7597647) Journal
    Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse?
    With just IPTables and SpamCop configured properly most of these security problems disappear.
    • by mental_telepathy ( 564156 ) on Monday December 01, 2003 @07:36AM (#7597673)
      Good call. Hey grandma, just type iptables -A INPUT -p tcp --dport 80 -j DROP at the command line. Me, I'm getting my family to buy Macs. Regardless of whether you think they are more secure because of the OS or more secure because of being a smaller target, right now they are more secure, and you get click-button firewalling.
      • I think everyone else has hit it but I'll say it, too.

        If you really cared about your grandmother enough that you feel it's necessary to hold her up as a debate spectacle on an internet discussion board then you would be more than happy to set up her system so that she doesn't need to worry about any of these technicalities.
    • by quigonn ( 80360 ) on Monday December 01, 2003 @07:44AM (#7597715) Homepage
      The mistake you make is that you don't care about security in multiple layers. Additionally, I would recommend using a ProPolice [ibm.com]-enabled gcc to compile your server applications, enabling (if your OS provides it) non-executable-stack features, and (when it's finished) my self-written ContraPolice [synflood.at], which adds protection against heap overflows to your applications. Additionally, systrace [umich.edu] might also be a good feature against possible attacks against your system.

      Of course, the things I presented here are only for a small percentage of all services and machines in "big" production environments. So, for more protection, a close look at the client has to be taken, too.
    • Yes, because people are just so intelligent and capable of handling their computers on their own.

      I think this [techtales.com] sums it up.
    • by Maestro4k ( 707634 ) on Monday December 01, 2003 @08:09AM (#7597848) Journal
      • Isn't teaching people how to defend themselves using free open source software better than talking about the best way to start up a posse? With just IPTables and SpamCop configured properly most of these security problems disappear.
      The problem is most people don't want to deal with OSS if that means using Linux. They want to be able to use most of the software that they can find in most stores, share it with friends, etc. As much as I like Linux, I use Windows XP on my main system because I prefer a lot of Windows-based tools to Linux-based ones. (And this includes free/shareware, not just commercial software.)

      Before someone says it, WINE isn't the answer, not yet anyway. I'm an expert user, and I have trouble getting things to work under WINE, or at least things I _want_, not just things that will. This is the deal-breaker for your average Joes, they won't deal with it.

      Besides, OSS software can be harder to secure right if you don't know what you're doing fully. I think the best approach all around is to hold companies responsible for glaring deficiencies. If you have a bug/security hole found every once in a while, it's one thing. When you have them found weekly, if not daily, and you have a closed-source product, then there's really no excuse for it.

    • Yeah, IPTables and SpamCop work wonders against buffer overflows, SQL injections, people actively executing malware because they think it's porn, cryptographic weaknesses, cross-site scripting, weak passwords...

      Especially for home-user boxes, packet filters are of pretty little use. Before you block services from being accessed via the big bad internet, why do they have to listen on a public interface in the first place?

  • by Telex4 ( 265980 ) on Monday December 01, 2003 @07:31AM (#7597648) Homepage
    These ideas of eliminating online anonymity need to be offset against the benefits this anonymity brings. It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.

    To quote an article [tomchance.org.uk] I wrote on this some time ago:

    "During the Kosovo conflict in 1999, a sixteen-year old ethnic Albanian girl, nicknamed "Adona", began an e-mail correspondence with a junior at Berkeley High School, America. She wrote of Serbian forces holding her village to ransom, killing journalists and community leaders, raping women, and finally of her friends and family deserting the village
    ...
    Because of the anarchistic, anonymous nature of the Internet, the Serbian authorities could do nothing to stop this flow of information between its citizens and the outside world, which meant that it could no longer censor all information. This not only gave the people of Kosovo who had some access to these Internet organisations hope and a sense of purpose during the conflict, but helped the international community better understand the circumstances in Kosovo during and after the conflict."
    • by jkrise ( 535370 ) on Monday December 01, 2003 @07:40AM (#7597697) Journal
      I think anonymity is used as a tool by so called 'security firms' to plead helplessness in detecting the source of security breaches. If Microsoft was really sincere in preventing security attacks on its systems, it should've supported the earlier bill - not the present spammer-friendly version.

      In short, the problem is not the anonymity of these cyber-terrorists, it's the accountability-phobia of software firms, at the root cause of these breaches. If we had a law that a 'supplier' of software is bound to fix security breaches and vulns free of cost in his code, we'll suddenly see MS rewriting Windows from scratch for LongHorn.

      The current law is like an Alsatian without teeth.

      • by lurvdrum ( 456070 ) on Monday December 01, 2003 @08:25AM (#7597931)
        Such a law would need to go further and make the software supplier liable for consequential losses incurred from using their software. THEN you would see Windows getting a proper rewrite.
        • Such a law would need to ... make the software supplier liable for consequential losses ... THEN you would see Windows getting a proper rewrite.

          No, then you'd never see another version of Windows. Or Linux. Or Microsoft Office. Or OpenOffice. Or any mainstream software produced by anyone, ever.

      • A measure of anonymity is desirable. There's no doubt about that. Since the beginning of modern society people have been coming up with ways to sneak off to clubs, or galas, or parties, or conventions where they can be free of their public identity, if only for a short while.

        Internet security is only a problem due to serious flaws in the Windows model of bringing computer technology to the world. I don't feel that it has anything at all to do with any piece of legislature. The problem with internet sec
    • by RLiegh ( 247921 ) on Monday December 01, 2003 @08:02AM (#7597799) Homepage Journal
      It has been a huge boon for political activists in countries with "overbearing" governments, for whistleblowers in all nations, and for all sorts of other reasons.


      Are you so naive as to not realise that in our increasingly totalitarian world, these are all detriments?

      How do you think John Ashcroft feels about people who perceive the US as having an "overbearing government" being able to speak out anonymously and with impunity?

      Hasn't he gone on record about his views on that?

      And as far as whistle-blowers go; no corporation considers whistle blowing to be a Good Thing, and therefore if they were presented with that angle of online anonymity they would probably pony up Even More Money to fight it.

      So, in short, the reasons you cite are the reasons why online anonymity is now a thing of the past.
      • You talk, apparently, only of America. There are a couple of hundred other countries in the world.
    • Your self promotion aside, the benefits you point out to ensure anonymity don't necessarily need to be all encompassing to the internet. Many corporations offer anonymous *ethics* hotlines internally directing employees to an anonymous email drop box or toll free number that an outside company handles.

      That very email conversation with the 16 year old Albanian girl could have really taken place with a 54 year old Brooklyn man (posing to be the girl of course), how would you know without some sort of identit

    • One thing I try to communicate to the kids is that anonymity implies a total lack of credibility. I am not commenting on the veracity of your post, just the tendency of kids and many adults to believe whatever they are told.

      Communication works when it can be attributed to a known individual or institution. Judgments can then be made by past direct or indirect involvement with those parties. While it is certainly true that anonymous communication protects certain parties from certain other parties that wish

    • These ideas of eliminating online anonymity need to be offset against the benefits this anonymity brings.

      OK, let's suppose for a moment that all Internet activity is traceable under judicial supervision by the legal authorities, and no-one else.

      Now, the following people will have to take responsibility for their actions, and one way or another, those actions will stop:

      • spammers
      • crackers
      • kiddie porn merchants
      • on-line credit card fraudsters
      • people who libel others anonymously
      • mass copyright infringers
  • by MrSelfDestruct ( 30535 ) on Monday December 01, 2003 @07:33AM (#7597660) Journal
    "incentivating"
  • by Frans Faase ( 648933 ) on Monday December 01, 2003 @07:33AM (#7597662) Homepage
    It is one or the other. It is impossible to increase security without reducing anonymity. The Internet has been hailed for its anonymity, and it is a thing that should be kept. But on the other hand it also lacks the possibilities (with the current email protocol) to increase one's security with a reduction of anonymity. For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party. I am afraid that is mainly a problem of legacy that a secure email protocol has not been deployed yet.
    • Commercial s/w firms would like us to fall into this trap. The bounty model provides for anonymity AND security, not OR. Unless we test this model, we shouldn't be dissing it completely.
    • But on the other hand it also lacks the possibilities (with the current email protocol) to increase one's security with a reduction of anonymity. For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party.

      Require people to sign their mail with a key signed by the trusted third party. Drop mail from people who don't.

      Granted, this won't stop the mail from hitting your mail server in the first place. But how is this a security risk?

    • by droleary ( 47999 ) on Monday December 01, 2003 @07:51AM (#7597749) Homepage

      It is one or the other. It is impossible to increase security without reducing anonymity.

      Rubbish. Anonymity comes within a context. If you give all your friends keys to your apartment, that doesn't necessarily tell you which individual was nice enough to drop off your mail and water your plants while you were on vacation. Similarly, if you sent me a key in the mail, you will have extended your web of trust, but completely anonymously; neither you nor your friends know who I am seen in your apartment.

      For example, there is not yet a possibility to only receive email from people that have revealed their identity with a trusted third party. I am afraid that is mainly a problem of legacy that a secure email protocol has not been deployed yet.

      I'd say you're wrong here, too. SPEWS and other blocklists are examples of exactly that kind of trust issue being applied to current mail systems.

    • by Dr. Evil ( 3501 ) on Monday December 01, 2003 @10:00AM (#7598557)

      That's a pretty weak argument. You're waving around strong statements involving the word 'security', but you only expand upon 'security' in the context of verifying one's identity.

      Email systems which verify identity have existed since PGP. The only reason you're not using it is because your friends aren't. Of course your friends aren't because you're not... but why?

      You and your friends likely talk about nothing worth hiding.

      Personally, I think that the real battle is between anonymity and privacy. Anonymity on the Internet provides an uncontrolled avenue for crimes such as cracking, trading in illegal materials, fraud, stalking etc.

      Law enforcement would be happy to abolish anonymity.

      Commerce doesn't like true anonymity because it discards valuable marketing data. They for the most part seem to be happy not knowing that Bob visited the Honda website, but simply that those who visit the Honda website also have shown interest in the following car stereos, bicycle racks, auto repair places, insurance companies... etc. So pseudonymity through random identifiers is generally OK, but not anonymity.

      However... on the Internet, anonymity is critical for privacy. With crappy security practices by Microsoft etc, it is usually not too hard to link random identifiers to real-world identity, and then before you know it, your insurance company raises your rates because you express interest in fast cars, racing games and car mod sites.

      Total anonymity would protect this.

      And what about pseudonymity? Adopting a pseudonym to hide your true identity and using it to express your views?

      What if your employer obtained your Slashdot ID? and started exploring your posts? What if they didn't like what they saw?

      Without complete anonymity to manipulate the pseudonym, your real-world identity can be determined. How could they do that? Right now, it is tricky. But any action against anonymity makes it easier for them.

      Far worse would be government examples. What if... the government decided that people who have something to hide are criminals and need to be investigated? And the government found out that you were using PGP?

      But I don't have time to fully express this idea... that's the gist of it though.

    • In my experience, anonymity increases security. When people can have anonymity - we don't make lazy assumptions in the way we design our software. It avoids the "well we don't need to make a tight design because we can always trace it back to whoever...." attitude and forces security to be put in a proper context from the beginning.

      Anonymity also encourages "unextorted" behavior. Voting is a good example - on an individual scale blackmailing someone to vote for a candidate is very difficult. The same ap
  • V-I-R-U-S-E-S (Score:3, Informative)

    by lorcha ( 464930 ) on Monday December 01, 2003 @07:36AM (#7597671)
    Seriously. For more information than you ever wanted to know about why "virii" is incorrect, please see here [perl.com].

    Thank you.
  • Hackers (Score:2, Insightful)

    by pairo ( 519657 )
    I find it funny that I've never seen an article which correctly uses the terms 'hacker' and 'cracker'. This one included, although they don't even mention 'cracker'.
    • Re:Hackers (Score:2, Insightful)

      by PjotrP ( 593817 )
      Perhaps because you're the only one using the terms "correctly"?


      if 90% of the people use the terms "incorrectly", maybe you should reconsider your own views on what is correct and what is incorrect?

      • Re:Hackers (Score:5, Insightful)

        by pirhana ( 577758 ) on Monday December 01, 2003 @08:04AM (#7597809)
        >if 90% of the people use the terms "incorrectly", maybe you should reconsider your own views on what is correct and what is incorrect?

        Of course not! Media can herd 90% of the people (or even more) into thinking whatever they want. That doesn't mean that you should change your views to synchronize with it.
        • Re:Hackers (Score:3, Insightful)

          by kinnell ( 607819 )
          What the parent was pointing out is the meaning of words change over time - if 90% of people understand "hacker" as meaning someone who illegally breaks into computer systems, then it is not incorrect to use the word in this sense, even if those 90% of people have been brainwashed by the media.

          Try going to the grimiest bar in your part of the world, find a random drunken psycho, and tell him he looks gay. Then try to explain that "gay" means "happy" and see what happens.

  • Cliches (Score:2, Insightful)

    by acidrain69 ( 632468 )
    The old cliché of the kiddie hacker in their basement, bragging about their accomplishments on BBSes is a little old, and somewhat funny. No serious hacker talks about what they do. There would be no one to hand you in, because no one but the hacker knows it was them. This wouldn't stop hacking, it MAY stop some kids from running DDoSes on IRC channels because they got 0wn3d on EFnet. (Did they ever get to EFnet 2? I haven't been in a while.)
    • Re:Cliches (Score:5, Insightful)

      by AllUsernamesAreGone ( 688381 ) on Monday December 01, 2003 @08:01AM (#7597787)
      Actually, it will make the situation worse. Think about it - right now you have a (fairly small) group of serious crackers who know that the best way to keep on doing what they do is to STFU and make sure nobody else finds out about them, and you have the much larger group of wannabes and s'kiddies who try to inflate their own ego by public boasts. Now, what happens when you put out a bounty? Well, the vocal ones start to get caught or they learn to keep their gob shut. Some of them will stop and move to something else, but some will stay and increase the size of the silent cracker group... and before you know it you wind up in the same situation as modern medicine and antibiotics: your miracle cure has made the problem worse by encouraging the growth of resistant strains of cracker....
  • We're gonna have squads of mercenaries trolling the internet picking off script kiddies (and probably bystanders too) while the real crackers continue to be dicks, and the real white-hats get picked off by the posses.
  • by heironymouscoward ( 683461 ) on Monday December 01, 2003 @07:38AM (#7597688) Journal
    And people are starting to understand it.

    The Internet is not a planned system. It grows and connects like a natural system obeying laws such as Zipf's Law.

    When it comes to security, the best model for what is going on in the Internet is also an organic model, namely the naturally occurring phenomenon of parasites, and the way these evolve in any real or simulated ecology.

    I've gone into boring detail in my journal [slashdot.org].

    My opinion is that until we use natural models, and learn from them, we will not be able to stop the rising tide of parasitical code that infests the Internet.

    "Monocultures" are a large part of the problem, and the Economist rightly argues that opening the Windows source code to third parties would create more variety and thus more security. But I think we have to go much further, towards systems that actively evolve to protect themselves against parasites.

    I've been criticised for saying this by people who say "it's just a metaphor, it does not mean anything". This is untrue: it is a model, one that we can use to understand what the heck is going on: what are the dynamics behind the process, what are the weaknesses of today's infrastructure, and what are the best solutions.

    Let me summarize this one more time: The internet behaves like an ecology, obeys the same laws as natural ecologies, falls prey to the same problems as natural ecologies, and if we want to create structures that survive these problems, we must understand things in terms of an ecology, not a planned design.
    • I am not sure I agree. "Parasitical code", as you call it, is not a natural phenomenon on a network. Set up a million computers and tie them together, and no virus will spontaneously be created, nor adapt to countermeasures. If you want to put "parasitical code" on said network, you need a creator. A person willing to commit a crime, for his own gain/amusement/whatever motivates the fucker. So it is basically a social problem. If we passed a law stating that writing a virus would be punishable by death to you,
      • by heironymouscoward ( 683461 ) on Monday December 01, 2003 @08:33AM (#7597984) Journal
        The key point is that the Internet is not just a million computers, it is a zillion computers plus a zillion people.

        It's the people and their ways of using the Internet that turn it into a natural ecology.

        Laws are not the answer: they will just create a criminal underground. You cannot legislate against human nature - look at the "war on drugs".

        Tighter security is not the answer: every lock designed by a human can be picked by a human.

        Open source is not the answer: any suitably complex system, transparent or not, will have security flaws, usually at the user interface point (think: weak passwords).

        Security patches are not the answer: parasitical code can spread many times faster than any human reaction time.

        I believe the answer is that computer systems will have to evolve something similar to an immune system, based on recognising friend-or-foe, and capable of regular pseudo-sexual exchange to scramble the locks against parasitical code that has adapted. Finally, it is likely that parasitical code will eventually be co-opted (just like the bacteria in our guts) into less harmful roles.

        To put this into context: the wars in your intestine started with the very first life forms and have been one of the basic engines of change in evolution for 3.5 billion years (along with climate change). I believe we're only at the very first stages of this process with the Internet, but inevitably we will follow a similar route.

        Anyhow, I will be long dead before this actually happens. It's just idle speculation.
        • But it is not an ecology you are describing, it is human behavior. Which most certainly can be regulated - indeed the fact that human nature can be regulated is the basis of civilization.

          The fact of the matter is that "parasitical code", or rather destructive code, is no more than an extension of the aspect of human nature that is destructive.

          If the internet truly were a natural system, viruses and the like would never cease to exist - billions of years of evolution must have taught us that much.
          • You confuse cause and effect.

            Regulation is not the basis of human civilization, it is an effect of it. Whenever people get together to try to cooperate on solving a common problem (and this is the basis for human society), they will define rules and an authority to enforce those rules.

            Attempts to plan or regulate society without respecting the natural tendencies of people tend to create disasters. (Think of any "planned economy").

            And yes, I believe that viruses will never cease to exist. It's been 20 y
            • Hmm... I guess we are not going to agree :) I think the crux of the matter is definition. You define the problem as:

              "a self-replicating organic pest that uses human weakness to infest a technical infrastructure. So long as there are people, there will be viruses."

              Whereas I would describe it as

              "a self-replicating program written by a malicious programmer to infest a technical infrastructure. So long as there are people/computers, there will be (computer)viruses."

              I do this because I do not see virus(and o
              • You're right that it is a matter of definition and perspective. I will anyhow try to change your perspective... :)

                There are many cases where complex problems are best understood by looking at people not so much as intelligent, proactive agents of change, but rather as dumb followers of rather simple rules:

                - traffic jams
                - crowds and riots
                - stock markets
                - economic systems
                - political systems
                - transport

                etc. All hefty problems that only make sense when you ignore human proactivity and see people
                • Well, yes. But while it may make sense to view elements as components in an organic system, it does not make the elements organic. Humans are humans, and computer programs are computer programs.

                  More generally, while insight undoubtedly can be gained from applying biological models to non-biological phenomena, it does not change the properties of the elements in the model. Understanding an object does not change it, but it can bring change in how the object is perceived.

                  As you can see, I am afraid my perspec
        • every lock designed by a human can be picked by a human

          Nope - what about public/private key cryptography? It's easy to create a huge number from 2 primes, and fiendishly difficult to work out what those two primes were afterwards.

          • True, this is an unpickable lock, and my assertion fails.

            However, it is impossible (as far as I can see) to actually implement this in an unbreakable manner. At some point, a cryptographic lock that is used by people depends on human interaction, and at that point, it can be picked, often in the most simple of ways:

            "Hey, random dude, what's your passphrase?"
            "Oh, I can't tell you that!"
            "Go on, I'll give you a free pen"
            "OK, it's MyDogIsSickAgain".
            "Cool, thanks!"
            "You won't use it, will you...?"
            "Nah, of cour
  • by Jerk City Troll ( 661616 ) on Monday December 01, 2003 @07:40AM (#7597699) Homepage
    One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward.

    No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because people still prefer convenience above all else.

    For one, we still have this serious problem of people using software that is fundamentally insecure (Outlook, IE, ISS, Windows, etc). Nobody seems to be getting the point that Microsoft products fail utterly at meeting any of Microsoft's promises about security.

    Of course, I would venture that is not even the biggest problem. People refuse to use strong passwords (or at least change them regularly). Software is not kept updated on servers (I recognize that free and open software like Linux is insecure if you're behind the times). Services are kept wide open so that nobody has to go searching for access (think file shares). Nobody uses encryption (viruses and spam would cease if company mail servers required valid PGP signatures from employees on emails before they got delivered),

    There's so much that needs to be done. The above is hardly an exhaustive list (nor was I making an attempt to create one), but nobody seems interested in taking a crack at what really matters. Instead most seem to be more interested in silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.

    Cure the sickness; don't treat the symptoms.

    • "problem of people using software that is fundamentally insecure (Outlook, IE, ISS, Windows, etc). "

      I can understand how the ISS could be fundamentally insecure. I mean, who'd a thunk you'd have to lock your doors in space too! Damn kids and their space station jacking gang wars in space.
    • No clever ideas like this are, were, or ever will be a suitable substitute for implementing real security. People need to wake up and realize that "hackers" are successful because people still prefer convenience above all else.

      What about when you get people to realize the risks of hackers and they still think the cost in time and effort is not worth it?
      - "You can either take 50 hours worth of classes in internet security or you can reinstall your computer every fourth month because of hackers and virus inf
      • You can either take 50 hours worth of classes in internet security or you can reinstall your computer every fourth month because of hackers and virus infestations

        I'd like to point out that these are not practical and they're not what I'm suggesting.

        50 hours is overkill in training most employees about security, although something in that neighborhood is appropriate for managers to get them to appreciate the value of security. Policies and procedures handed down to them by IT should be sufficient. (Of

    • We've learned from millennia in meatspace that you need more than one tool if you want to limit antisocial behavior.

      We have locks and alarms, we have liability laws for vendors who supply unsafe goods, and we offer rewards for informing on criminals.

      >silly ideas like "hacker bounties" which would be utterly ineffective against a group of people which do not seem to fear consequences for their actions.

      Wouldn't destructive virus writers be more fearful if they knew that their "friends" might turn them in
  • by pubjames ( 468013 ) on Monday December 01, 2003 @07:43AM (#7597712)

    Isn't eliminating online anonymity practically impossible? What about cybercafes, for instance? (Although not big in the USA, cybercafes are one of the main ways to access the internet in many poorer countries.)

    Secondly, supposing you did manage it by imposing some kind of draconian laws, i.e. you have to log on at all cybercafes with some universal ID. Then wouldn't identity theft become an even bigger problem, i.e. hackers would pinch other people's identities to hack?

  • by pvt_medic ( 715692 ) on Monday December 01, 2003 @07:43AM (#7597713)
    While total security will never be achieved, I feel that there are efforts that can be made to minimize the effects of hackers.

    The internet will never have total security. There will always be ways around any programming that was made. There will always be bugs, loop-holes, etc. We are not perfect in our ability to program, and subsequently our coding is not perfect.

    But with this being said, that doesn't mean that we can't do anything to help protect ourselves. We can make effective practices of protecting systems by physical methods. If you don't want people to hack your system, don't connect it up to the internet. While I know that those nuclear technicians love to surf the web while at work, that doesn't have to be the same system that runs the reactor.

    Virus writers will always exist, just like music sharing, and ads [slashdot.org]. The key is just how you will negate their effects.
  • we stand hunched (Score:2, Interesting)

    by Anonymous Coward
    Microsoft is far behind in the security world. Their "Security is #1" is just bull to make people feel better about using Windows.

    If Microsoft is so secure, how come it:
    1. doesn't support APOP in outlook [express]?
    2. doesn't support IPsec tunnel?
    3. still supports Frontpage?
    4. doesn't let you see what's going on (netstat on unix shows the process related to the socket opened, windows does not)

    on and on..
    Why is the only way to somewhat-secure Windows limited to buying third-party apps?
    • 1. doesn't support APOP in outlook [express]?

      Because Outlook Express is a pretty mediocre piece of software all the way around?

      2. doesn't support IPsec tunnel?

      Huh? Windows supports IPSec tunnels just fine, as long as you aren't using Win95/98/ME. You aren't using ME, are you?

      3. still supports Frontpage?

      Umm, because it's a successful commercial product? Duh? Perhaps you meant to ask why they don't improve FrontPage in any meaningful way?

      4. doesn't let you see whats going on (netstat on unix shows pr

  • Just what we need... (Score:5, Interesting)

    by Noryungi ( 70322 ) on Monday December 01, 2003 @07:45AM (#7597718) Homepage Journal
    Pay low-life a lot of money to catch other low-lifes. Yeah right.

    Imagine this: your little sister sits in front of her computer, ready to send the latest pix of her little doggy to your grandma.

    Five cops burst through the door and arrest her for spreading that noxious "I love goatse.cx!" virus. Yes, that virus. The one that installs a spambot on your Windows machine.

    Her crime? She clicked on that little "Rudolph the red-nosed reindeer e-postcard" that was sent to her by the nice girl she chatted with yesterday.

    End result? '000s of $$$ spent in legal fees and millions of dumb IIS/Exchange servers crashed all over the world. And one very rich bastard, laughing all the way to the bank for denouncing an innocent.

    Thank you, The Economist. Great idea.

    Here is my offer: banish Microsoft products everywhere. Replace with medium- (Linux) to high-security (OpenBSD) OS everywhere and watch the [virus|worm] problems disappear. Oh, and make spamming a crime punishable by public castration. That should do the trick.
    • I agree, the idea of having "hackers" chase each other for a "bounty" is pretty stupid if you ask me. It could lead to all sorts of problems.

      Who better than a "hacker" to set someone else up to take the fall for spreading a virus? Root their box, get it to distribute the virus, leave a development trail in their files, post some whacko "hacker shit" to usenet, write some evil manif3sto and put it in a hidden directory, cover your tracks and then call the feds on them.

      You could even drop some kiddie porn
  • by maroberts ( 15852 ) on Monday December 01, 2003 @07:51AM (#7597744) Homepage Journal
    See if you can get the most bounty on your head! Open to script kiddies everywhere!
  • brilliant idea (Score:3, Interesting)

    by truffle ( 37924 ) on Monday December 01, 2003 @07:53AM (#7597756) Homepage

    Bounty system, wow, that's a brilliant idea.

    Instead of hacking systems, hackers can instead hack systems, frame teenage kids, and make money! Sweet!
  • "It might become legal, for instance, to have credit cards for online transactions under different names, as long as these could still be traced to the individual owner"

    If the government can do it, why couldn't a cracker?

  • One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivizing other hackers to go after them and bring them forward.

    That's not interesting at all. As covered here [slashdot.org], that's what MS thinks is the way to address the issue. All that's interesting about that situation is that they've set aside 10 times as much money as they have current bounties for; how is expecting 10 times as many security issues in the future consi

  • by jkrise ( 535370 ) on Monday December 01, 2003 @07:58AM (#7597775) Journal
    I think MS and most other s/w firms like to have a 'recurring income model' for s/w, rather than a one-time fixed income model. It follows therefore, that some 'value' has to be delivered to the customer, to justify the expenditure.

    For an OS and Office writer, which is what MS basically is, it helps to deliver this 'value' in terms of Service Packs and bug fixes for problems it was responsible for creating, and which it is morally obliged to undertake for free, rather than for an annual 'Subscription (Dis)Advantage Agreement'.

    Thus, it is more crucial to know of MS's plans, rather than where we stand currently, while discussing this topic of security. If MS gets away with Palladium, they might actually write secure code; if Palladium fails to take off, users will have to live with these worms and security hazards.

    Which is why I posted this earlier, and got modded Flamebait!!
    "Where does Microsoft want us to go tomorrow? (Bankrupt, yes,.. that seems to be the answer).

    Wherever we stand now, we stand naked - ready for exploitation; the situation isn't changing fast, either."
  • by Anonymous Coward on Monday December 01, 2003 @07:59AM (#7597778)
    "I'm kind of a fan of eliminating anonymity," says Alan Nugent, the chief technologist at Novell, a software company, "if that is the price for security."

    On the surface, this is a sensible statement, but this is the kind of thinking which must be debunked at all costs. What is needed are systems which allow anonymity where it is valuable and eliminate it where it is not.

    Just as in the real world, we have the option of using our credit cards to buy groceries, and cash to buy or anti-government literature, the internet needs security where security is important and must still provide anonymity where users judge it to be important to them. To say it is impossible to provide both shows a failure of imagination on the part of the commentator.

    Enforcing security by exposing everybody to scrutiny denies us freedom. Don't let it happen. Choose the right to be an anonymous coward, if that's what your subject demands.
  • by Maestro4k ( 707634 ) on Monday December 01, 2003 @08:03AM (#7597802) Journal
    • One suggestion which I thought was particularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivizing other hackers to go after them and bring them forward.
    If anyone thinks this will work, then I feel sorry for them. Hackers by and large aren't going to rat on each other. There's one really good reason -- if the one they ratted on finds out who they are, or his/her friends find out, then the rattee is going to be in deep doodoo fast. Facing this, they'll just take the route of least resistance and easy moolah and rat out innocents or even set up innocents and report them.

    Think about it, how hard is it to infect the average joe's computer with a trojan, worm or virus? History (heck, recent history in fact) shows us that it's not terribly hard. For some of these worms/etc. that come out, you don't even have to click on anything to get infected! So it'd be easy as pie to set someone up. Just infect their machine with a trojan, make their machine do Evil Things (tm) while they're actually active on it, cover your tracks, and report. Law enforcement tends to be overexuberant on catching cyber evil-doers, and there's a more than fair chance they won't dig deep enough to notice the tracks the hacker left on the innocent guy's computer.

    And to be honest, they probably won't get the chance to. How many average joes out there have done something not-so-legal? Probably a lot, it seems everyone and their brother's wife have illegal software of some sort to hear people casually talk about it. I've heard customers at Wal-mart ask employees if they can install ___ software on more than one computer. (Often it's anti-virus software they're asking about ironically.) When average joe is faced with getting in trouble for the stuff he knows he's done wrong, he'll probably cop a plea bargain to avoid that coming to light. And law enforcement will go along, after all it will look like a win for them on the public relations front.

    For those that will scream that law enforcement wouldn't do these things, I can only tell you that I hope you never get to find out first-hand just what they will and won't do. I had the misfortune and it was a real eye-opener. I prefer not to go into specifics, but I will say that before my experience I never believed any of the supposed "conspiracy theories"/etc. about how bad law enforcement and/or the FBI/etc. were. Now I think they're all dead on.

    Bottom line, putting out bounties on cyber-criminals would result in many innocent victims, and probably very very few real criminals being caught.

  • Hypocrisy (Score:2, Interesting)

    by Anonymous Coward
    The gist of Mr Geer's argument is that Microsoft has over the years created "unacceptable levels of complexity" in its computer code. It has done so because its main objective has been to lock users into its software by tying the Windows operating system together with applications such as Word, Explorer and Outlook...

    Not surprisingly, Microsoft bristles at this line of thought. The only reason the firm has been bundling the operating system with applications is that customers want it to, says Mike Nash, a
  • But why... (Score:4, Insightful)

    by RyoSaeba ( 627522 ) on Monday December 01, 2003 @08:47AM (#7598074) Journal
    From the article:
    In 2000, a hacker named Vitek Boden broke into the computers of an Australian sewage plant and leaked raw effluent into rivers and parks, killing fish but no people.

    But why, in the first place, did those computers have outside access? Or rather, entry points.
    If a computer is controlling a really important piece of hardware (nuclear plant, anyone?), I sure hope it is NOT connected to ANY outside network, for whatever reason. And if it is, the one who decided it was a good idea should be held responsible for whatever happens, and lose his job, get a big fine that will make sure he will NOT EVER make the same mistake... Maybe this way security will be a level higher.
  • by Cyno01 ( 573917 ) <Cyno01@hotmail.com> on Monday December 01, 2003 @09:09AM (#7598218) Homepage
    Virii is a perfectly cromulent word.
  • by b0z0mind ( 697506 ) on Monday December 01, 2003 @09:18AM (#7598289)
    The real problem is that social research has shown that incentives simply do NOT work. In fact, adding rewards has been shown to reduce the number of people that get turned in compared to when no intervention is used at all. A real solution would focus on determining and eliminating the intrinsic motivators fueling the hackers. For a good overview/compendium/analysis, read Punished by Rewards: The Trouble with Gold Stars, Incentive Plan$, A's, Praise, and Other Bribes by Alfie Kohn
  • Talking about patches from M$ and how its monopoly plays in all this:

    But the patches often create more security problems than they fix, and there is a fear that Microsoft might use such regular access to desktops to keep rival software-makers away, thus reinforcing the source of the original problem, its monoculture. "If you don't trust us to download our patch, then you shouldn't be running our software," counters Mr Charney [a M$ exec], as if consumers had a real choice.

    I almost choked when I read th

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday December 01, 2003 @10:02AM (#7598569)

    One of the growing problems is the large base of broadband-connected (cable, DSL) users that ISPs insist on putting on dynamic IP address pools. We all know that there is no technical advantage to the dynamic IP addresses, since practically everyone is connected 24/7 (this is not the same situation with dial-in modem pools, where dynamic IPs are the best way to go).

    If ISPs allocated static IP addresses to all their cable/DSL customers, we would see tremendous security gains because customers' addresses would stand still while they are tracked down.

    • Anti-spam/proxy/hijack systems would see abuse coming from a particular IP and could more easily identify that abuse source without huge collateral damage. Currently, DNSBLs are forced to list entire netblocks, or even all dynamic IP addresses!
    • Responsible parties would be easier to track down, regardless of type of abuse and historical records found online (e.g. IPs in logfiles) could be associated with a single entity
    • Infected hosts that are spewing worms by any method could be automatically blocked by routers/gateways, since the IP address is constant

    Perhaps it's time to see some government regulation that requires that an ISP that provides broadband services where customers are connected more than X% of the day has to provide a static IP address. ISPs like to provide dynamic addressing because they have a persistent fear of people 'running their own servers' (bullshit), plus they can sell static IP addresses. Their approach is detrimental to general Internet security.

    Imagine if there was a type of cheap cell phone service designed to facilitate outgoing calls only, accomplished via a dynamic origin phone number (that changed daily), making it nearly impossible to have someone phone you back. Don't you think such a phone would be a huge source of all kinds of abuse? That's what ISPs are making possible by dynamic IP addresses on broadband customers. These hosts become rogue, because they are moving targets.

    • by WuphonsReach ( 684551 ) on Monday December 01, 2003 @11:13AM (#7599252)
      One of the growing problems is the large base of broadband-connected (cable, DSL) users that ISPs insist on putting on dynamic IP address pools. We all know that there is no technical advantage to the dynamic IP addresses, since practically everyone is connected 24/7 (this is not the same situation with dial-in modem pools, where dynamic IPs are the best way to go).

      It has more to do with the costs of providing that service. Giving your customers static IPs involves support costs unlike DHCP's plug-n-go. A rough guess would be that for every customer you'll end up spending 5 minutes of support time if you use static IPs. And that's just support call time.

      Now add in churn of 10% (very rough guess) per month for a few thousand customers and the administration costs of keeping track of a static IP system start to factor in. Stuff like handing out new addresses, releasing addresses for accounts that have been canceled - some of which can be automated if you pay $$$ for the capability.

      OTOH, configuring a DHCP server is pretty much a once and done deal. Scales nicely, requires little-to-no end-user knowledge, and is a lot cheaper.

      Unless it gets to the point where going the DHCP route becomes more expensive than administering static IP addresses, you're not going to see a change in the way ISPs do business.
  • by tqbf ( 59350 ) on Monday December 01, 2003 @10:16AM (#7598645) Homepage
    Jerry Ungermann, the president of Check Point, the world's largest vendor of firewalls, boasts that none of his customers was affected by Blaster...

    Is this really the president of one of the largest network security companies in the market claiming that not one company in Checkpoint's 90% market share was affected by MSBlaster?

  • There's no excuse for a word like that. People have been shot for less.
  • Given that the magazine is the Economist, I'm surprised they didn't suggest letting "the market" work out the issues before they started screaming for the end of anonymity on the interweb.
  • by werdna ( 39029 ) on Monday December 01, 2003 @11:08AM (#7599189) Journal
    Let's see, a bounty for the head of the cracker who did the deed.

    Let's say I am really, really good.

    Let's say that the cracker who did the deed is really, really good and very dangerous.

    Let's say that the bounty is really, really high.

    Let's say that there is another cracker, call him "stooge," who is really good, somewhat dangerous, but not as good or dangerous as am I.

    I want the bounty; I can very effectively frame stooge, who is pretty darn good, but framable, and not so dangerous.

    Or I can go after someone who is much better and more dangerous.

    Looks like all a bounty system would do is incentivize crackers to do very effective jobs of framing innocent, less effective, hackers.

    The Economist should know more about Economics.
  • but do precious little to keep out the crooks. Finding ways to mitigate online anonymity might, in Darwinlike fashion, weed out the script kiddies, but would likely do little to keep good crackers and outright crooks from staying anonymous.

    Use of disguise and false identities has been a criminal (and espionage) tool for hundreds of years, despite extensive efforts of governments to document and prevent such conduct. Why would this be any different? Except now, only the crooks will have anonymous identit
  • Sir:

    This is OT, it's just a warning to "consider the source."

    The Economist has, in the past decade, gone from being reasoned and sensible to a shrill mouthpiece for The Right. Any story bigger than one column inch becomes a vehicle for what can best be described as capitalist propaganda.

    Even after their hawkish view on Iraq -- that Saddam possesses WMDs and is an imminent threat -- stands discredited, they still toe the neocon line.

    The only thing left of value in The Economist is the wonderful charts and
  • Really, if you start getting a bounty on hackers, then it makes it a viable option for a career. Perhaps not a full-time career, but maybe a side-job in addition to your pay-the-rent-feed-the-family type employment.

    A lot of people argue that bounties will drive hackers (for the assumption of the article, blackhat varieties) underground, or perhaps incite turning in innocents for money... which is likely possible. You might want to consider that after a certain period of time, a process will be garnere
  • Make commercial software vendors strictly responsible for damage due to security holes.

    A few hundred lawsuits later, everything will be as tight as it was in the Multics days.
